use "no scrub"
Authored by: jcs on Mar 17, '06 08:17:27AM
if packet normalization is causing problems for certain hosts, just "no scrub" on those hosts, don't disable it altogether.

find the IPs of the .mac servers and exclude them before your scrub rules:

no scrub in from { x.x.x.x, x.x.x.y, ... }

your post said you're using openbsd 3.7, you may want to upgrade to 3.8 to fix a problem with "no scrub" rules, or purchase a 3.9 cd which is being released very soon.


re: use "no scrub"
Authored by: patsch on Apr 04, '06 02:26:41AM
following your advice I changed the lines concerning scrubbing in my pf.conf to these:

#
# the list of "no scrub" hosts is a broad guess. i didn't narrow it down to the only "one" guilty.
#
no scrub in from { images.apple.com, www.mac.com, switch.atdmt.com, metrics.apple.com, swscan.apple.com, phobos.apple.com }
#
# the following two lines are taken from the "inventor" of pf at http://www.benzedrine.cx/pf.conf
#
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

and, yes, you are right: things work that way! thanks!

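Added example, not part of either comment above: a small lint that checks the ordering point made in this thread, that "no scrub" exclusions must come before the scrub rules. It assumes scrub rules are evaluated first-match, so an exclusion placed after a matching scrub rule would never take effect; the function name and the sample rules file are constructed for illustration.

```shell
#!/bin/sh
# misplaced_no_scrub FILE
# Prints "LINE: rule" for every "no scrub" rule that appears after the
# first "scrub" rule in a pf.conf-style file.
# Returns 1 if any such rule was found, 0 otherwise.
# Assumption: scrub rules are first-match, so order matters.
misplaced_no_scrub() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)        # drop comments
            sub(/^[ \t]+/, "", line)    # drop leading whitespace
            sub(/[ \t]+$/, "", line)    # drop trailing whitespace
        }
        # remember where the first scrub rule is
        line ~ /^scrub([ \t]|$)/ { if (!first) first = NR; next }
        # a "no scrub" rule after that point is in the wrong place
        line ~ /^no[ \t]+scrub([ \t]|$)/ && first {
            printf "%d: %s\n", NR, line
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the exclusion was placed after the scrub rules.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample rules, hosts taken from the thread
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble
no scrub in from { www.mac.com, phobos.apple.com }
EOF

misplaced_no_scrub "$sample" ||
    echo "move the rules listed above ahead of the first scrub rule"
rm -f "$sample"
```

Run it against a copy of pf.conf before loading the ruleset; it only checks ordering and does not validate pf syntax.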